WE TALK ABOUT IT WITH AN EXPERT: VITTORIO BOERO, PIAGGIO GROUP CHIEF INFORMATION OFFICER (CIO), WHO EXPLAINS HOW IMPORTANT AWARENESS, TRAINING, AND COLLABORATION ARE WITHIN ORGANISATIONS.
April 2023 (G.T.) – All the data are marked with the + sign, and that is not good news. Cyber-attacks are constantly on the rise all over the world, year after year, and they spare no one. The increase of attacks in 2022 with respect to 2021 confirms the trend. Broken down by the type of company affected, estimates say that attacks increased by 77.8% in the Telecommunications sector, 76.7% in the Financial/Insurance/Banking sector, 51.2% in public organisations, 50% in information and multimedia companies, and 34% in the industrial and manufacturing sectors. In the ICT, energy and utilities, and healthcare areas, an increase of attacks of between 2% and 11% was recorded.
In the Privacy & GDPR area alone (General Data Protection Regulation, the European personal data protection regulation that went into effect in May 2018), in 2022 the Authority levied a total of €832 million in fines all over Europe. Another piece of information that provides a “snapshot” of just how big the issue is: like many countries around the world, India is suffering more and more from cybercrime. There were 208,456 cyber-attacks reported in 2018 and, in just the first 2 months of 2022, 212,485 cybercrimes were reported, more than in all of 2018. And in the first six months of 2022, cyber-attacks in India rose another 15.3%.
Vittorio Boero, Piaggio Group CIO (Chief Information Officer).
An alarming overview, and Vittorio Boero, Piaggio Group CIO, had this to say about it: “Not only are cyber-attacks up with respect to 2021, but they are also more serious and invasive, with significant repercussions on the economy, considering the fact that the estimated worldwide damages for 2021 amount to $6 trillion. And this number is expected to rise 15% annually, reaching $10.5 trillion by 2025.”
Mr. Boero, how are companies tackling the problem of cyber-attacks?
“To prevent damage, companies are increasing their cyber security budgets. Gartner (a major global technology research company) found that global expenditures for cyber security went up from $150 billion in 2021 to $172.5 billion in 2022 (+13%), and they are expected to rise to $267.3 billion in 2026 (+12% yearly).”
THE “ENEMIES”: RANSOMWARE AND PHISHING
What are the most frequent types of attacks?
“I would divide them into two macro areas. Ransomware, in other words, harmful computer programs that can ‘infect’ digital devices, blocking access to their content, with the goal of demanding a ‘ransom’ to release them; and Phishing, the rampant cyber scams which, via email with counterfeit logos/senders, have the goal of eliciting confidential data (both from private citizens and from companies and organisations).”
What are the trends in these areas of cybercrime?
“The snapshot is light and dark. In short, in 2023, Europe could overtake the USA as the area with the most ransomware attacks. An increase has been detected in attacks aimed at data exfiltration for extortion over brand reputation or privacy; a decrease in extortion for the purpose of restoring encrypted data; a decrease in the share of organisations that have paid the ransom after a ransomware attack. And there’s more. An increase in the demand for cyber-attack and ransomware insurance, but I should point out that the insurance companies will only insure enterprises with an adequate level of protection, and at significantly increasing premiums. Some insurance companies could no longer underwrite cyber policies. And, last but not least, an increase in sales of already exfiltrated credentials and information on semi-compromised companies on the dark web, which translates into easier attacks that are accessible even to younger and less skilled hackers.”
So, Mr. Boero points out, it has become increasingly important for the entire Piaggio Group to implement solutions that are constantly on the cutting edge in order to mitigate the increasingly prevalent cyber-attack risks.
Vittorio Boero, Piaggio Group CIO, with some Cyber Security & Risk Management staff members, Riccardo Loggini and Laura Nardi, in the Information & Communication Technologies area.
“As for the predictable evolution of Phishing,” Vittorio Boero continues, “we can sum it up this way: it confirms the trend of hackers shifting their goals from control of the end point (PC/server) to that of the users’ identities. The goal is not to control, but to have access to information. Phishing-as-a-Service sales on the dark web are up. This entails the rental of all the necessary equipment (from information collection servers to emailing systems) to carry out phishing campaigns. Along with credential theft, there is the use of techniques to overcome Multi Factor Authentication type safeguards. And the use of Vishing (voice phishing), carrying out phishing via voice message or telephone call, has also risen: passing themselves off as bank employees, an Internal Revenue agent, or an insurance agent, the attackers ask victims to install (malicious) apps or to provide them with data and credentials. Other variations of attacks on the rise: Qrishing (phishing via QR code), especially in the banking area, and Smishing (phishing via SMS) in the banking and logistics area (parcel shipment); and, last but not least, phishing targeting specific groups of individuals (Spear Phishing) or a single individual in a high position (Whaling) is on the rise.”
So, it’s easy to understand how the “attack technique” scene is becoming increasingly varied and sophisticated.
Image source and useful publications: CSIRT-Computer Security Incident Response Team, in the area of the Agency for national cyber security (ACN-Italian Government): www.csirt.gov.it/pubblicazioni
COUNTERMEASURES AND ENFORCEMENT ACTIONS: VULNERABILITY MANAGEMENT.
How are companies tackling the risks of cyber-attacks and how do they defend themselves?
“Starting from Vulnerability Management: this is a cyclic process (which, therefore, should be repeated periodically over time) that can be summed up in five steps: Identification of the assets to be verified; Scanning with specific tools to detect vulnerabilities; Analysis of the report to classify the vulnerabilities based on their criticality; Remediation actions, through patching, reconfiguration, application updates, etc.; Verification through further scanning that the vulnerability is actually closed. However, be aware that the risk cannot be entirely eliminated (hackers are constantly active identifying new software vulnerabilities!), but it can be mitigated by increasing the frequency and the effectiveness of the Vulnerability Management process. And, obviously, by bolstering the parallel Incident Management cyclic process with quick and effective interventions in the event of intrusions, constant monitoring, containment actions, and restoration of any damaged applications or services.”
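The five-step cycle Mr. Boero describes can be modelled end to end in a few dozen lines. The following is an added illustration, not code from the Piaggio Group or from any scanner product: the asset inventory, the scanner's knowledge base, the `VULN-EXAMPLE-*` finding identifiers and the SLA policy are all constructed placeholders. The only external fact it relies on is the CVSS v3 qualitative severity bands (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9) used in step 3. Note how step 5 re-runs the same scan rather than trusting the remediation log: the finding with no available fix is carried into the next cycle instead of being marked closed.

```python
"""Worked model of the five-step vulnerability management cycle.

Hypothetical example: the inventory, the scanner's knowledge base, the finding
identifiers and the SLA policy are constructed and describe no real system or CVE.
"""
import copy
from dataclasses import dataclass

# Step 1 input: a constructed asset inventory. 'in_scope' marks what this cycle
# verifies; 'software' lists the product versions the scanner will check.
ASSETS = {
    "web-01": {"in_scope": True,  "software": {"webserver": "2.4.1", "tls-lib": "1.0"}},
    "db-01":  {"in_scope": True,  "software": {"dbms": "13.2"}},
    "lab-pc": {"in_scope": False, "software": {"webserver": "2.4.1"}},  # excluded this cycle
}

# Constructed scanner knowledge base: (product, vulnerable version) -> (finding id, CVSS base).
# The identifiers are placeholders, not real CVE numbers.
VULN_DB = {
    ("webserver", "2.4.1"): ("VULN-EXAMPLE-001", 9.8),
    ("tls-lib", "1.0"):     ("VULN-EXAMPLE-002", 7.5),
    ("dbms", "13.2"):       ("VULN-EXAMPLE-003", 5.3),
}

# Constructed remediation policy: maximum days allowed to fix each severity band.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    asset: str
    product: str
    version: str
    vuln_id: str
    cvss: float
    severity: str = ""
    sla_days: int = 0
    status: str = "open"


def identify(assets):
    """Step 1: select the assets this cycle will verify."""
    return [name for name, a in assets.items() if a["in_scope"]]


def scan(assets, names, vuln_db):
    """Step 2: compare installed versions against the scanner's knowledge base."""
    findings = []
    for name in names:
        for product, version in assets[name]["software"].items():
            hit = vuln_db.get((product, version))
            if hit:
                findings.append(Finding(name, product, version, hit[0], hit[1]))
    return findings


def severity_band(cvss):
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def classify(findings, sla=SLA_DAYS):
    """Step 3: rank findings by criticality and attach the remediation deadline."""
    for f in findings:
        f.severity = severity_band(f.cvss)
        f.sla_days = sla.get(f.severity, 0)
    return sorted(findings, key=lambda f: -f.cvss)


def remediate(assets, findings, fixes):
    """Step 4: apply the available fix (modelled here as a version upgrade).
    A product with no entry in 'fixes' is left unchanged; step 5 must catch it."""
    for f in findings:
        fixed_version = fixes.get(f.product)
        if fixed_version:
            assets[f.asset]["software"][f.product] = fixed_version
            f.status = "remediated-pending-verification"
    return findings


def verify(assets, names, findings, vuln_db):
    """Step 5: rescan and close a finding only if the scanner no longer reports it.
    Anything still reported is carried into the next cycle."""
    still_present = {(f.asset, f.vuln_id) for f in scan(assets, names, vuln_db)}
    for f in findings:
        f.status = "open-carried-over" if (f.asset, f.vuln_id) in still_present else "closed"
    return findings


def run_cycle(assets, vuln_db, fixes):
    """One full iteration on a copy of the inventory; returns findings with final status."""
    assets = copy.deepcopy(assets)
    names = identify(assets)
    findings = classify(scan(assets, names, vuln_db))
    remediate(assets, findings, fixes)
    return verify(assets, names, findings, vuln_db)


if __name__ == "__main__":
    # Constructed fixes: patches exist for two products, none yet for the dbms.
    for f in run_cycle(ASSETS, VULN_DB, {"webserver": "2.4.2", "tls-lib": "1.1"}):
        print(f"{f.asset:7} {f.vuln_id} {f.severity:8} SLA {f.sla_days:>3}d -> {f.status}")
```

Running it lists the two web-01 findings as closed and the db-01 finding as carried over with its 90-day Medium deadline still running, which is exactly the residual risk the interview says cannot be eliminated, only tracked and re-scanned more frequently.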
How important is the awareness and collaboration of company employees in combating cyber-attacks and incidents?
“Extremely important: companies must constantly tackle attacks that come both from outside (carried out by hackers beyond the company perimeter) and from inside (for example in cases of malware on a PC, theft of credentials via phishing, incorrect actions by users such as accessing compromised websites, and so on). So, increasing staff awareness of the risks they run, increasing their knowledge of these issues through continuous information and training, and in general promoting the involvement and collaboration of all, at every level of the company, is a daily effort.”
In managerial terms, what are the most innovative actions in terms of prevention and protection?
“There are many. They range from increasing monitoring capabilities to be able to detect intrusions and unlawful behaviour as early as possible to the implementation of ‘peripheral and application’ protection, from improving preventive protection to reducing the propagation of attacks within the company to increasing the Security Awareness of internal users through training actions focusing on cyber security. I’d say that these are the most innovative projects implemented by the most advanced companies, such as the Piaggio Group.”
And we conclude the interview with Vittorio Boero with a final thought on the concept of the NIST Cybersecurity framework, depicted in the image below, which allows the positioning of the company in terms of Cybersecurity to be assessed.
CYBERSECURITY FRAMEWORK BY NIST
(The National Institute of Standards and Technology,
US Department of Commerce, United States Government).
In order to tackle all of the elements described above, the Piaggio Group has implemented an international framework which details the areas to be traced and the suggested and required rules for the purpose of preparing a valid “protection network”. This is a foundation on which to build the various levels of the company’s security, permanently monitoring its effectiveness and assessing the additional solutions to be applied.
Image source and Cyberwatching.eu info: cyberwatching.eu/nist-cybersecurity-framework
Identify: know the perimeter to be protected, namely the company business, the applications, the infrastructures, the software, the data, regulations, etc.
Protect: implement technologies, processes, people, and measures needed to protect yourself against attacks and limit the damage.
Detect: constantly monitor the perimeter to detect the presence of malicious activity, unauthorised accesses, unlawful actions, and risky behaviour.
Respond: set up and implement the most effective and fastest strategy for responding to a security incident or an attack, proceeding with blocking and mitigating damage.
Recover: define and implement the most effective strategy for the quick and effective recovery of data, applications, and services. In general, recover what was compromised during the cyber incidents/attacks, in line with the prevailing regulations and the specific requirements of the business.
And here we’ll add the “golden rule” that does not appear in the post-action reports, but which must always be present: lessons learned! That is to say, even critical moments contribute to continuous improvement. And this guiding principle is always valid in any area, not just in cyber security.
For more information, search for the governmental agency for national cyber security in your country.
In Italy: www.acn.gov.it